What you should consider when choosing a password manager

Many security experts feel that passwords are no longer sufficient to keep online accounts safe from hackers, but we're still a long way from widespread adoption of biometrics and alternative methods of authentication.

Most of us are stuck with using passwords as the primary keys to our online lives, so we should at least strive to follow best security practices when it comes to managing them. This includes using long and complex passwords or phrases that can withstand brute-force attacks, using separate passwords for every online account and changing those passwords periodically.

The thought of doing all that can be intimidating, but fortunately there's an entire class of programs called password managers that can automate most of the process. Password management implementations vary, from the rudimentary password-storing features in most browsers to specialized products that synchronize the saved passwords across different devices and automatically fill log-in forms as needed.

Many password management services provide add-ons for different browsers, stand-alone applications for desktop and mobile platforms and even give users the ability to access their password vaults online. They're highly convenient, but if used incorrectly they can lead to a single point of failure, since almost all of them rely on one master password to unlock all other saved passwords.

What you need to know

Users should carefully consider the security models of the password management applications they intend to use. For cloud-based implementations that provide online access and synchronization, it is important to understand how the service provider stores users' data on its servers and whether it ever has access to the user's master password.

Some providers use a zero-knowledge model, where they only store an encrypted copy of the password vault on their servers. Then, contents of the vault get synchronized with the client applications or are sent in encrypted form to the user's browser during online access. The decryption process is always done locally, based on the user's master password, which is never shared with the service provider or sent over the Internet.

In this case, the company's servers are only used for storing encrypted copies of the password vaults and in the case of a server compromise attackers would not get keys to access the passwords stored inside. LastPass, Dashlane, 1Password and Mitro, the last of which recently went open-source after being acquired by Twitter, are some of the providers that claim to use such implementations.

Double down

However, this model does not protect against client-side attacks. For example, attackers could still obtain users' master passwords if they infect their computers with keylogging malware. That's why it is also important to choose a password manager application that offers two-factor authentication.

This form of authentication combines something you know -- the master password -- with something you have, like a mobile phone or a hardware token. The most common implementation of second authentication factors are one-time-use codes that are received via text messages or generated using special mobile applications like Google Authenticator. Fortunately, most of the popular cloud-based password management services currently offer some form of multi-factor authentication, but it's best to double-check before choosing one.

Two-factor authentication prevents attackers from accessing a user's password vault from a different computer or device by using a stolen master password. However, they could still use an existing malware infection to piggyback on a user's active password manager session and access their online accounts via the local browser, especially if the auto-login option is turned on. Auto-login features may be convenient, but can also be fraught with peril. Users should think carefully about whether they want to activate them.

It's also best to use password management applications that can automatically log off the user after some time of inactivity, especially if the browser is kept open for long periods of time or if someone else might have access to the computer while the user is away. This might not always protect against active malware on the computer, but it does add another layer of security.

Users may also be tempted to flag a device as trusted. Many password management applications offer an option of skipping the second authentication step in the future on a given device once they've completed a two-factor authentication with it. While convenient, this method assumes an attacker will never gain control over that device, which is not always the case, so users should carefully consider whether they can live with inputting the second factor every time.

Don't rely just on a password manager

One of the primary benefits of using a password management application is that it allows the use of different complex passwords for every account without having to remember them all. However, it's equally important for the user's master password to be strong so that it can resist brute-force attacks.

Users who find it hard to remember complex passwords that include digits, lower-case and upper-case letters and even special characters, should try using long pass phrases as their master passwords instead. These are sequences of random real words that make up hard-to-guess phrases and provide the same or even better level of protection against brute-force attacks as a strong password, but are easier to remember. Pass phrases can also be used for critical accounts that need to be accessible even if when the password management application or server is unavailable for some reason.

Finally, many of the largest online services, such as Facebook and Gmail, are now offering two-factor authentication themselves, so even if you're using a password manager and follow best security practices in general, turn on two-factor authentication whenever it's available. It can make a really big difference, especially if your password manager does get compromised.

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.